Krebs on Security

In-depth security news and investigation

Who’s Selling Credit Cards from Target?

The previous two posts on this blog have featured stories about banks buying back credit and debit card accounts stolen in the Target hack and that ended up for sale on rescator[dot]la, a popular underground store. Today’s post looks a bit closer at open-source information on a possible real-life identity for the proprietor of that online fraud shop.

Rescator[dot]la is run by a miscreant who uses the nickname Rescator, and who is a top member of the Russian and English language crime forum Lampeduza[dot]la. He operates multiple online stores that sell stolen card data, including rescator[dot]la, kaddafi[dot]hk, octavian[dot]su and cheapdumps[dot]org. Rescator also maintains a presence on several other carding forums, most notably cpro[dot]su and vor[dot]cc.

A private message on cpro[dot]su between Rescator and a member interested in his card shop. Notice the ad for Rescator’s email flood service at the bottom; this will become important as you read on.

In an Aug. 2011 thread that has since been deleted, Rescator introduced himself to the existing members of vor[dot]cc, a fairly exclusive Russian carding forum. When new members join a carding community, it is customary for them to explain their expertise and list previous nicknames and forums on which they have established reputations.

In the thread pictured above, we can see Rescator listing his bona fides and telling others he was “Hel,” one of three founders of darklife[dot]ws, a now-defunct hacker forum. In the screen shot below, Rescator clarifies that “Hel, in fact, is me.”

Rescator says his former nickname was “Hel,” short for Helkern, the administrator of Darklife.

The only darklife member who matched that nickname was “Helkern,” one of darklife’s three founders. Darklife administrators were all young men who fancied themselves skilled hackers, and at one point the group hacked into the venerable and closely-guarded Russian hacking forum cih[dot]ms after guessing the password of an administrator there.

Darklife admin “Helkern” brags to other members about hacking into cih[dot]ms, a more elite Russian hacking forum.

In a counterattack documented in the entertaining thread that is still posted as a trophy of sorts at cih[dot]ms/old/epicfail, hackers from cih[dot]ms hacked into the Darklife forum, and posted personal photos of Helkern and fellow Darklife leaders, including these two of Helkern:

And a self-portrait of Helkern:

So if Helkern is Rescator, who is Helkern? If we check some of the other Russian forums that Helkern was active in at the time that Darklife was online in 2008, we can see he was a fairly frequent contributor to the now-defunct Grabberz[dot]com; in this cached post, Helkern can be seen pasting an exploit he developed for a remote SQL injection vulnerability. In it, he claims ownership of the ICQ instant messenger address 261333.

In this introductions page from a Russian language gaming forum, a user named Helkern also was active in 2008 and claimed that same ICQ address. Helkern said his email address was root@helkern.net.ua, his Skype address was helkern_skype, and that he lived in Odessa, the third-largest city in Ukraine. Helkern, going by his shortened username “Hel,” also was a VIP member of xaker[dot]name. In this cached post we can see him again claiming the 261333 ICQ address, and pointing out to other members that his real nickname is Helkern.

Andrew from Odessa’s LiveJournal profile pic from the account “ikaikki”

I located a relatively recent LiveJournal profile (ikaikki.livejournal.com/profile) for an Andrew Hodirevski from Odessa, Ukraine that includes several profile pictures which are remarkably similar to the photos of Helkern leaked by the cih[dot]ms guys. That profile (“ikaikki”) says Hodirevski’s email address is ikaikki@livejournal.com, that his Jabber instant message address is ikaikki@neko.im, and that his Twitter account is “purplexcite” (that Twitter has since been deleted). In almost a dozen posts on LiveJournal, Hodirevski talks about his interest in Java programming, and even includes a few pictures of himself attending an instructional class on Java.

The same anime profile image for Andrew’s LiveJournal page is also on the LinkedIn profile for an Andrew Hodirevski from Ukraine, and the two pages share the aforementioned Twitter profile (purplexcite). Andrew’s LinkedIn page also says he is the administrator and Web developer at a hosting company in Ukraine called ghost.ua.

That site is no longer online, but a cached copy of it at archive.org shows that the business is located in Odessa at this address, and the phone number +38 (048) 799-53-13. Ghost.ua lists several pricing plans for its servers, naming them after different despotic leaders, including Fidel Castro and Muammar Gaddafi (it is spelled “Kaddafi” on Ghost.ua). Recall as I mentioned at the top of this post that one of the clones of the card shop at Rescator[dot]la is kaddafi[dot]hk.

This page at it-portfolio.net lists an Andrey Hodirevski from Odessa with the same anime profile image, the “purplexcite” Twitter profile, and a Skype address by the same name. It says his professional skills include programming in Java, CakePHP and MySQL, among others. This Google groups discussion about CakePHP includes a message from an Andrey Hodirevski who uses the email address andrew@purpled.biz.

Purpled.biz is no longer online, but a cached copy of it from archive.org shows it was once Andrew’s personal site. Here we learn that Andrew’s current goals (as of 2010) were to get married to his girlfriend, buy the $20,000 Toyota Solara pictured below, move to Helsinki, and to achieve world domination. In order to accomplish the latter goal, Andrew jokes that he “will probably have to rob all the banks in the world.”

After searching my huge personal archive of hacked cybercrime forums for Andrew’s various email and Jabber addresses, I found several private messages sent by different users on the Spamdot[dot]biz forum who recommended to other members the “ikaikki@neko.im” Jabber address as someone to contact in order to hire a service that could be used to flood someone’s Gmail inbox with tens or hundreds of thousands of junk messages. Recall that this Jabber address is the same one listed at Andrew’s LiveJournal profile.

To bring this full circle, one of the many services that Rescator sells these days is a popular email flooding service at rescator[dot]me. Turns out, Yours Truly has already been the direct target of an attack launched through Rescator’s service; I wrote about it in this July 2012 story, Cyberheist Smokescreen: Email, Phone, SMS Floods.

The email flood service at rescator[dot]me

I have no idea if Rescator/Helkern/Andrew was involved in hacking Target, but it’s a good bet that he at least knows who was. I sought comment from various contact addresses listed above for this individual, and received a reply from someone at kaddafi[dot]me who said he knew Andrew and would relay my questions to him. Ultimately, he came back to me not with answers, but with a bribe not to run my story.

(2:03:56 PM) The privacy status of the current conversation is now: Private

(2:04:11 PM) kaddafi.me: Yeah well you should after someone sent you drugs from silkroad.

(2:04:24 PM) krebs//:

(2:04:59 PM) krebs//: you’re right of course, it’s andrew

(2:05:17 PM) kaddafi.me: What’s all the commotion about Rescator anyways?

(2:05:20 PM) krebs//: well i have a story about him going up tomorrow

(2:05:23 PM) kaddafi.me: Did you even notice other shops are selling same shit?

(2:05:32 PM) krebs//: sure

(2:05:46 PM) krebs//: but I’m not looking at other shops right now

(2:06:05 PM) kaddafi.me: Well you should )

(2:06:10 PM) krebs//: in time

Kaddafi promised a response by 10 p.m. ET yesterday. This morning, not seeing a response, I pinged this individual again, and received the following response:

(10:08:46 AM) kaddafi.me: Hi.

(10:09:19 AM) kaddafi.me: You better contact me from another jabber that’s not associated with your name, I’ve got an offer for you.

(10:11:12 AM) krebs//: why from a different jabber?

(10:11:33 AM) kaddafi.me: Because I’ve got an offer for you. So you don’t think I’m trying to play games and fool around with logs after you read my offer.

(10:11:52 AM) krebs//: what kind of offer?

(10:12:27 AM) $10.000 not to post your article

Obviously, I did not take him up on his offer, assuming he was not just messing with me. Here is a mind map I put together (using MindNode Pro for Mac) that outlines how much of this information was derived and connected.
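The pivoting that ties the personas above together (the same ICQ number, e-mail, Skype, Jabber or Twitter handle turning up under different nicknames on different forums, plus an explicit "I used to be X" claim) is mechanical enough to script. The Python below is an added example for this page, not Krebs's own tooling and not his mind map; the forum posts in it are constructed stand-ins that reuse only the selectors the post itself cites (ICQ 261333, root@helkern.net.ua, helkern_skype, ikaikki@neko.im, purplexcite), and the selector formats the regexes look for (“icq: 261333”, “skype: handle”) are assumed, not how any real forum lays them out. It groups personas into identity clusters with a union-find over typed selectors and records, per selector, which personas exhibited it, so every merge stays auditable.

```python
import re
from collections import defaultdict

# Constructed sample posts for this example: (forum, nickname, text). The selectors inside
# them are the ones the article cites; the surrounding wording is invented, not quoted.
POSTS = [
    ("grabberz.com",     "Helkern",           "remote SQLi exploit attached. contact: ICQ 261333"),
    ("gaming-forum",     "Helkern",           "ICQ: 261333, mail root@helkern.net.ua, skype: helkern_skype, Odessa"),
    ("xaker.name",       "Hel",               "icq 261333 -- my real nick is Helkern"),
    ("vor.cc",           "Rescator",          "new here. formerly known as Hel, one of three darklife founders"),
    ("livejournal",      "ikaikki",           "jabber: ikaikki@neko.im  twitter: @purplexcite"),
    ("linkedin",         "Andrew Hodirevski", "twitter: purplexcite. admin and web developer at ghost.ua"),
    ("it-portfolio.net", "Andrey Hodirevski", "twitter purplexcite, skype: purplexcite, Java/CakePHP/MySQL"),
    ("spamdot.biz",      "anon_buyer",        "need a gmail flood? ask jabber ikaikki@neko.im"),
]

# Typed selectors: a Skype handle and a Twitter handle spelled the same are NOT merged.
# The "nick" pattern catches explicit alias claims ("my real nick is X", "formerly known as X").
SELECTOR_PATTERNS = {
    "icq":     re.compile(r"\bicq:?\s*(\d{5,10})\b", re.I),
    "addr":    re.compile(r"\b([\w.+-]+@[\w-]+(?:\.[\w-]+)+)\b"),   # e-mail address or Jabber JID
    "skype":   re.compile(r"\bskype:?\s*([\w.]+)", re.I),
    "twitter": re.compile(r"\btwitter:?\s*@?(\w+)", re.I),
    "nick":    re.compile(r"\b(?:real nick is|formerly known as|i was)\s+(\w+)", re.I),
}


class UnionFind:
    """Disjoint sets over persona and selector nodes; linked personas share a root."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def persona_id(forum, nick):
    return f"persona:{forum}/{nick.lower()}"


def extract_selectors(text):
    """Return the typed selectors ('icq:261333', 'addr:a@b.c', ...) present in one post."""
    found = set()
    for kind, pat in SELECTOR_PATTERNS.items():
        for m in pat.finditer(text):
            found.add(f"{kind}:{m.group(1).lower()}")
    return found


def build_identity_graph(posts):
    """Union every persona with each selector it exhibits; keep selector -> personas evidence."""
    uf, evidence = UnionFind(), defaultdict(set)
    for forum, nick, text in posts:
        persona = persona_id(forum, nick)
        # The posting nickname is itself a selector, but the weakest one: handles get reused
        # by unrelated people, so treat a nick-only join as a lead, not a conclusion.
        for sel in extract_selectors(text) | {f"nick:{nick.lower()}"}:
            uf.union(persona, sel)
            evidence[sel].add(persona)
    return uf, evidence


def components(uf):
    groups = defaultdict(set)
    for node in list(uf.parent):
        groups[uf.find(node)].add(node)
    return sorted(groups.values(), key=len, reverse=True)


def linked(uf, persona_a, persona_b):
    return uf.find(persona_a) == uf.find(persona_b)


def shared_selectors(evidence, persona_a, persona_b):
    """Selectors both personas exhibited directly (one-hop evidence for a merge)."""
    return {s for s, ps in evidence.items() if persona_a in ps and persona_b in ps}


def add_analyst_link(uf, evidence, persona_a, persona_b, reason):
    """Merge on evidence the extractor cannot see (e.g. matching photos); the reason is
    stored as a labelled pseudo-selector so the join is as auditable as a regex hit."""
    tag = f"analyst:{reason}"
    uf.union(persona_a, tag)
    uf.union(persona_b, tag)
    evidence[tag].update({persona_a, persona_b})


if __name__ == "__main__":
    uf, ev = build_identity_graph(POSTS)
    for group in components(uf):
        print(sorted(n for n in group if n.startswith("persona:")))
    # Selector evidence alone leaves the Hel/Helkern/Rescator cluster and the
    # ikaikki/Hodirevski cluster unconnected; the article bridges them with photo matches.
    add_analyst_link(uf, ev, persona_id("grabberz.com", "Helkern"), persona_id("livejournal", "ikaikki"), "photo-match")
    print(linked(uf, persona_id("vor.cc", "Rescator"), persona_id("livejournal", "ikaikki")))
```

Run as written, the selector graph yields two clusters: Hel, Helkern and Rescator on one side (joined by ICQ 261333 and the alias claims) and ikaikki and the two Hodirevski profiles plus the Spamdot flood referral on the other (joined by ikaikki@neko.im and purplexcite). Nothing in the text of the posts joins the two halves; the article does that with evidence a text extractor never sees (the leaked Helkern photos matching the LiveJournal pictures, the Kaddafi hosting plan echoing kaddafi[dot]hk, the flood service on both sides), which is exactly the kind of step that should be recorded as an explicit analyst link with a reason rather than slipped into the data.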


This entry was posted on Tuesday, December 24th, 2013 at 10:28 am and is filed under A Little Sunshine, Breadcrumbs, Data Breaches.

269 comments

As someone who used a debit card at Target during the data breach period, I’ve been obsessively checking my bank statements for anything abnormal. I obviously haven’t seen anything yet, but I can’t help but imagine how many other shoppers like myself already think they’re in the clear because things have been quiet—when characters like this “Rescator” guy could be holding our information off to the highest bidder.

This is why this situation won’t be dying down anytime soon, even if Target wants it to. Folks might be crying fraud as late as March. Moral of the story: Always carry cash!

Why wouldn’t you just have a new card issued? In most cases a new card can be issued without canceling the old card until the new one arrives, and even if you do have to go without a card for a few days you can use cash and you will be protected.

You can cancel your card now, or you can do it after there is fraud; either way, same process. Based on the carding forums it looks like he may be moving as many as 50,000 cards a day, so it’s only a matter of time before all the numbers are out there and fraudulent charges hit.

You don’t even have to go without a card if you have a local branch office and don’t mind a trip there (this is what I did). Whenever you are ready to cancel the current card, call the bank to have them cancel, then go to the local branch and have them create a temporary new card that is linked to your account. Your new permanent card will be mailed in a few days and you can trash the temporary card.

Exactly. The day I heard this news about this Target breach, I ran to my bank, cancelled my debit card and ordered a new numbered debit card. Writing checks for over a week has been a pain but well worth it as far as some semblance of security.

Ms. Katrina Lowe . . . My sentiments exactly.
(For Years I have been warning folks to use Cash when you can.)
Cash is King IMO but unfortunately society is downgrading cash and really pushing for the use of MORE plastic!!!

I actually called Bank of America to request a new card…and they told me they had actually shipped one out to me already (sans my request). I guess they’re doing this automatically now? I had no idea, but great. At least they know this can still cause issues down the road.

It’s best that you cancel your debit card for a new one. When they sell credit cards over the “Black Market” a good amount get sold in bulk, so, for example, they sell 100 credit card numbers for $500.00 or for bitcoins (the unregulated online currency), but they sell the same list to many different people around the world, so they keep trying to use one until it gets accepted. So the odds may not be in your favor. I wouldn’t stress yourself by looking at your bank statement.

Rescator[dot]la is down too, although it has gone up and down a bunch the past few days. I tried through Tor as well without being able to get there. Curious if it’s actually down or if the US has made an attempt to block access in some way.

Brian, I understand the primal urge to seek out more when you find clues and hints and you know more than everyone else, but don’t you at some point expect more retaliation than a bundle of drugs from silk road arriving at your doorstep? I mean, to call out criminals publicly by name seems bold and unnecessary. Aren’t there more effective ways to help in the fight against cyber crime?

My bank already called me and told me my card was one of the ones stolen, and they replaced it. I don’t know how they would know this. Maybe they saw I made a transaction at Target and decided to take preventive measures? Whatever it was, it’s a pain in the ass to update my card information everywhere.

QUESTION – Any word on just how the malware made it into Target’s systems as of yet? I saw some articles out in the news sites saying that Target confirmed this as malware, but I cannot find anything to say if this was a result of a spear phishing attack or a break-in through a back door or some other type of attack?

Top executives lack technical understanding. They provide small budgets for IT departments.
This happens all over the place. The fact that a system looks nice on the outside may hide a mess on the inside.

They are greedy when it comes to hiring good developers and now we all have to pay for it.

CNNMoney
Target says ‘up to 70 million’ names, email addresses, and…
The Verge ‎- by Aaron Souppouris ‎- 20 hours ago
The retailer says up to 70 million names, mailing addresses, phone numbers or email addresses were stolen as part of last November’s hack. … Target is extending that offer, now saying that any customer who has shopped at …
So now they are saying addresses, emails (not uncommon) etc. were accessed. Quite interesting, as having dealt with people that did card scams (mostly by theft) and money laundering, they always said the more they could get the better, but why was Target maintaining all that information. Even the CVV.

I doubt that he has anything to do with the hack. CC numbers went on sale in Russia 2-3 weeks prior and they were 20-30x times cheaper comparing to what Andrey was charging. He is just a 2nd or 3rd-tier re-seller.

That was a down-vote to a very derogatory comment which has subsequently been removed …

Brian’s work and posts deserve a “+1000″ up-vote.

Background: Some websites (like ZH, for instance, if one is logged into the site) will show accrued up-vote/down-vote values next to a poster’s moniker or avatar .. +1 or -1 posting is meant as a sign of up-voting or down-voting in lieu of a website supplied ‘vote’ system.

(This is perfect example why, in any case or situation, the entire story should be found out before making judgement. I did not want to copy the ‘bad’ comment to which I had the “-1″ or down-vote response. )

Just to be perfectly clear here, credit card fraud is not prosecuted in the US. Filing a police report might make you feel good, but because the card issuer will not prosecute the police don’t really care. You don’t have standing because the card issuer just cancels the charge so you have lost nothing.

The card issuer (where your card comes from) isn’t interested because they push it back on the merchant that accepted the card. The merchant doesn’t care because they are insured.

I get a card “borrowed” like this about once a year. I have never heard of any cardholder that actually lost anything. It can be a nuisance, but at least you aren’t out any real money.

Ignore P.Crowley’s opinion on making a police report. Reports are very helpful records if identity theft occurs or if, down the line anyone has to make an insurance claim. None of us know exactly what has happened during this breach. It may turn out identity theft, or more, is involved. Having a report made with any of the following: consumerfinance.gov, ftc.gov, ic3.gov, state level consumer affairs, or local police will help protect from further/future events.

Police reports are useless because most police departments are useless.

Many cops A) are arrogant and shouldn’t be cops to begin with and also B) are very limited in the technology training they receive and don’t realize they cannot process the scene of a computer crime in the same manner that one does, say, a murder scene. Can’t spray luminol on the computer and have it tell you who logged in (if only it was that easy). The first mistake is that they often turn off the computer for processing, which causes a loss of volatile memory.

I also beg to differ: while they don’t work to extradite foreign criminals, the mules do get poked in many cases (look up Albert Gonzalez – AKA the TJX hacker).

The problem herein lies with the PCI council and the card brands; they are complacent to allow large merchants to go on with substandard networks because it is all a money game. Why would I tell you you cannot take cards if it was going to cost me 10 million a year … when I can just charge you 15 million until you’re “secure and compliant,” and if you get hacked in the interim I can just say it’s their fault … TOTAL BS

Over a decade ago my wife and I had our identity stolen for the first time. It happened when we moved apartments within a complex (from one building to another) and arranged (we thought) for the Post Office to redirect our mail. We also contacted the person who moved into our old apartment and asked them to be on the lookout for any mail that wasn’t redirected.

Someone exploited a vulnerability at the mailbox area in our old building (one that persists to this day) and obtained credit card applications that were not redirected to us. The first we knew of the problem was when credit cards started turning up at our new address as a result of mail redirection.

When we talked to the issuers, some revealed that they had issued cards against the wrong date of birth, SS No, and home telephone number.

When we asked what we should do, all said that they were willing to re-issue the cards with corrected information, in spite of the fact that they had been fraudulently obtained.

We thought long and hard and decided that if we agreed to have the cards re-issued to us, we would at least have some control of the situation.

Declining the cards would mean that they could be applied for again without our knowledge, and next time we might not receive them – but (based on reports at the time) we might still end up being liable for charges run up in our names.

The police refused to take a report because they said we were not the victims (!) – the credit card issuers were – and unless the issuers chose to file a report, we had no standing since we had lost no money.

By chance we discovered that one card issuer alone was dealing with 16 similar occurrences on the property in different buildings, but had no intention of filing a police report.

We tried filing reports with other agencies but were unable to, for one reason or another (for example, the FBI were not interested because we had not lost a sum in excess of $5,000).

Some of the false information persists, despite our instructions to the credit reporting agencies to erase incorrect data arising from the fraudulent applications. It seems to have a life of its own, partly (I suspect) because of the poor accountability of the CRAs.

Over the years I have discovered that the best defense against financial exploitation by criminals is to maintain poor credit.

I’m not going to get into all the ways of doing “Identity Theft” but stop feeding the scammers out there like LifeLock. Target does not have your SSN, your address or anything else mixed in with their credit card data.

What was disclosed was credit card info, enough so that people can use the information to make bogus credit cards or purchase stuff online. That is all. The bad news is if a debit card was used with a PIN that can be used at an ATM almost anywhere in the world to withdraw money. Most banks are going to eat the loss on this, but that isn’t credit card fraud and is handled entirely differently.

Bank fraud is prosecuted in the US and they are pretty serious about it. Credit card fraud is covered by merchant insurance and unless the card issuer makes an issue out of it, no law enforcement agency will touch it. Local police, FBI, Secret Service, whatever, there isn’t anyone in the picture with enough of a loss to interest anyone.

Now, if you can convince the card issuer to make you pay for the fraudulent purchases, then you have standing and can file a criminal complaint. If you lose more than $5,000, the FBI will be interested as well. But that would be expensive and useless just to make a point.

I just finished reading the NYTimes story on Albert Gonzalez, and Yastremski was being actively investigated for handling card dumps being sold by Gonzalez. Gonzalez also it seems according to the story said he did not think that Yastremski would leave the Ukraine … and that was his (Yaz’s) undoing; No extradition treaty exists between US and Ukraine.

I feel it does some good filling out the forms at those government sites for fraud tracking information, which I feel, at a minimum, helps gather statistics on the overall problem. I was reading about a criminal ring that got busted, and the data helped them show how the defendants did their dirty work. It was said in the article that the data did help in prosecuting the crime ring. Even if they can’t be tied to the actual crime that affects any one individual, the data is still useful.

Without it, many in law enforcement would never be able to learn how to fight or prevent it. NCIC is setup to analyse such trends and help LEOs determine anti-crime efforts, and preventative moves, and give them a statistical back drop for any local prosecutions they finally institute. It is always worth it to file a report – especially since you could end up the butt of anything bad that happens. This leaves a trail, that you can use to defend yourself against any mistaken identity issues or false accusations that you were the miscreant instead of the cracker.

I thought I would be safe, as I have poor credit. Sadly, with this poor credit of mine, the only type of card I could use over and over with my name on it was a GreenDot re-loadable. Well, I shopped at Target for Xmas presents and just today realized my balance was wiped out! (minus $1,81). Over $1,200.00 was spent in Araraquaras, Brazil (multiple purchases over two days it turns out). I have no idea if the investigative process will lead to my recovering the stolen money but I’ll tell you this: They took from an already broke individual and literally prevented me from buying school supplies for my child. Despicable! I guess even we poor bastards are still worth stealing from.
nye

I never said Target had lost anything outside of credit card data. However, carder sites are quite thorough in making their dumps more “fullz”. So, yes, victims of this breach should make a report for their records in case they fall victim to identity theft.

Paul–
You keep saying there won’t be any ID theft associated. I didn’t think there would be either because how could they with just my CC number?

I used my cc at Target during the breach, and have been diligently checking online for fraudulent charges.

Last week I received 2 letters in the mail from card issuers providing explanations about why they declined my recent application. (I did not apply for these cards.) I got my credit reports and noticed an inquiry from ATT Wireless. The next day, I got a postcard in the mail thanking me for switching to paperless billing for my new account. I did file a police report as that’s what the FTC says is required to get further info from businesses about what is going on. Turns out they won’t give that info up without a subpoena. The officer assigned to my case called the ATT store in NYC where the account was opened and got a physical description of the person who opened the account. No calls have been made on the account, which leads me to believe the phone was fenced.

Can I prove that my identity has been stolen due to the Target breach? Nope. But it is awfully suspicious timing, don’t you think?

Paul,
So you work for Target? You’re certain they do not have PII mixed in with PCI data? You would have thought the same about the State of South Carolina, but look what was lifted there. I have been in the trenches for over 28 years; I was in the card business when PCI and PII all came into light. I wrote card member agreements to include this information as part of my job. You would be surprised at how poorly mismanaged data can be. As you walk through the trenches of data, keep in mind, PCI is not required; it is an optionally adopted standard. All I am saying is, being a victim of fraud and identity theft myself, I have to say I assume the worst because I have seen just how bad it can get.

If you apply for a Target credit card in store, you enter your SSN, birthdate, and other PII directly ONTO THE POS SYSTEM. How many people have now lost this info because, while Christmas shopping, they decided they’d want to save 5% on their purchases, and how come none of this has been mentioned in the media yet?

Here’s the thing: you’re talking about 1 device, but 2 different systems, and it depends on how the breach happened. If they were able to compromise the PIN devices, then it’s possible that the Red Card application via the PIN device could be compromised. That said, there is no indication they have that data. I’ve been on the major carding forums and not once have I seen such data for sale. To be honest, even if the PIN devices were compromised, I doubt they thought about Red Card applications.

Indeed, it is a bit presumptuous to jump to conclusions with the limited data available, but it certainly sounds like the POS terminals communicated with a back-end server on Target’s network and those communications weren’t encrypted at the POS.

Sadly, even though this should be a criminal matter against Target if they implemented such a system in the first place, credit card security agreements are so lax that they basically come down to each company writing their own procedures and promising to follow them. Target could have written a procedure that allows them to do just this.

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply

A suggestion I have given to many people who use these sorts of reloadable prepaid debit cards is to get two (it is legally fine to do). On one card store your cached up money; on the other card, use it only as a temporary card that is used only for transactions. Do not use the other card for transactions. This protects you greatly.

Via these places’ sites, you can do either free or very cheap account to account transfers with or without linking the accounts (I recommend you do NOT link them; this may cost you a few cents in fees but it is more secure, but some places allow for granularity or inability to pull from one card to another if one gets ‘overdrawn'; only you know your ability to decide what amount of risk you are willing to put up with versus how much you can afford to pay for fees; if you do this 1-2x a week you will likely pay 5-10$ a month at most).

Assuming you are doing mobile banking, as this is the only viable way to do these cards, you would simply go online and transfer what you need to the ‘card you are using places’ at any given time before you went out to the ATM (your better option for day to day purchases) or to the store (if you wish to complete larger transactions). It may make sense to just do this weekly if you are able to handle that level of risk, but in general you are probably better off dealing with cash in the US if you are spending less than 300-500$ a week. My understanding is greendot, like most of those companies, is quite bad with disputes, in part because they know that they are dealing with people they perceive they can get away with screwing over who can’t give them too hard of a time.

If it is a credit issue, there are a few American banks that do not use chexsystems or similar reports to issue checking accounts, and there are forums dedicated to people who have been denied accounts because of those reports along with lists of banks that do not check. A bank instead of a third party debit card issuing company issuing cards from a bank will make your life a lot less problematic if your cards get stolen or misused. Either method though should protect you quite a bit more.

Lorum,
By the way it’s spelled Lorem Ipsum = On the other hand, we denounce with righteous indignation and dislike men who are so beguiled and demoralized by the charms of pleasure of the moment, so blinded by desire, that they cannot foresee the pain and trouble that are bound to ensue; and equal blame belongs to those who fail in their duty through weakness of will, which is the same as saying through shrinking from toil and pain.

Second point
The site is stating that PCI can be applied. PCI is only a standard and recommended to merchants. It is not a regulatory requirement unless the regulatory agency has stated as such in a standard provided to a specific industry.
Did you know one of the two card issuers, Visa or MasterCard, does not use the PCI Standard but NIST 800-53 and others? I will not say which one, but I am just pointing out that this is not a requirement; it is a recommended standard and there are many others that may be recommended.